Bug 812920

Summary: yum does not need --nogpgcheck for installing an unsigned package.
Product: Red Hat Enterprise Linux 6
Reporter: Dimitar Yordanov <dyordano>
Component: yum
Assignee: James Antill <james.antill>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 6.2
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-04-16 15:45:53 UTC
Type: Bug
Attachments: Unsigned RPM (flags: none)

Description Dimitar Yordanov 2012-04-16 14:55:30 UTC
Description of problem:
yum does not need --nogpgcheck for installing an unsigned package.

Version-Release number of selected component (if applicable):
RHEL6.2
yum-3.2.29-22.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. Copy the RPM attached to this BZ to an RHEL6.2 machine.
2. "cd" to the download folder.
3. Make sure gpgcheck is enabled

    # grep gpgcheck  /etc/yum.conf 
    gpgcheck=1

4. yum install -y test-regular-test_sw_system_snapshot_fri06apr2012_07_28_52_24962-0.1-1.x86_64.rpm
  
Actual results:
The package is installed.

Expected results:
Package test-regular-test_sw_system_snapshot_fri06apr2012_07_28_52_24962-0.1-1.x86_64.rpm is not signed


Additional info:

Comment 1 Dimitar Yordanov 2012-04-16 14:56:43 UTC
Created attachment 577737
Unsigned RPM

Comment 3 James Antill 2012-04-16 15:45:53 UTC
That's a local package, so it's controlled by:

              localpkg_gpgcheck  Either  `1' or `0'. This tells yum whether or
              not it should perform a GPG signature check  on  local  packages
              (packages in a file, not in a repository).  The default is `0'.

Comment 4 Dimitar Yordanov 2012-04-17 07:07:28 UTC
Hi James, 

The problem is that RHEL5 (yum-3.2.22-39.el5) does not respect "localpkg_gpgcheck" and the default behaviour for local packages is to check for gpg.
This makes scripts that work just fine on RHEL5 fail on RHEL6.

Dimi
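
An added example (not part of the bug report, and not yum's own code) of the check that Comment 3 implies: grepping for `gpgcheck=1` is not enough, because local package files are governed by `localpkg_gpgcheck` in `[main]`. The function names and the sample configuration are constructed for illustration; the `gpgcheck` default of 0 is an assumption, since the thread only quotes the `localpkg_gpgcheck` default.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# Constructed sample mirroring the report: gpgcheck=1, localpkg_gpgcheck unset.
sample_conf() {
    printf '%s\n' '[main]' 'cachedir=/var/cache/yum' '# localpkg_gpgcheck=1' \
        'gpgcheck = 1' '[extras]' 'localpkg_gpgcheck=1'
}

# yum_main_opt FILE KEY DEFAULT: effective value of KEY in the [main] section.
yum_main_opt() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*[#;]/ { next }                    # comment line
        /^[ \t]*\[/   {                           # section header
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next
        }
        sec == "main" && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                 # last assignment wins
        }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# Boolean spellings accepted here: 1/yes/true (case-insensitive).
is_enabled() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        1|yes|true) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_yum_gpg FILE: returns 0 only when repo AND local package files are checked.
audit_yum_gpg() {
    rc=0
    # Defaults: localpkg_gpgcheck=0 as quoted above; gpgcheck=0 is an assumption here.
    if ! is_enabled "$(yum_main_opt "$1" gpgcheck 0)"; then
        echo "FAIL: gpgcheck is off for repository packages"; rc=1
    fi
    if ! is_enabled "$(yum_main_opt "$1" localpkg_gpgcheck 0)"; then
        echo "FAIL: localpkg_gpgcheck is off; 'yum install ./file.rpm' skips the GPG check"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: repository and local packages are GPG-checked"
    return "$rc"
}
```

Run `audit_yum_gpg /etc/yum.conf` on a host to see whether scripts that install local RPM files rely on a signature check that is not actually enabled.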